Gmail Vulnerability Could Have Exposed Every Email Address

Security researcher Oren Hafif revealed that he had uncovered a vulnerability in Gmail that for years had left every email address of every user potentially exposed, making accounts susceptible to phishing, spam, and unauthorized access attempts.

Hafif’s method exploited an account-sharing option, the delegation feature, which allows users to authorize other parties to access their accounts. He only needed to alter the webpage URL that is generated when an unauthorized user attempts to gain entry to an account using that feature.

By changing one character in the URL, Hafif discovered that the page would then display a different email address along with the “decline” message. He then automated the process with DirBuster and was able to harvest nearly 40,000 email addresses in only two hours.

“I could have done this potentially endlessly,” says Hafif. “I have every reason to believe every Gmail address could have been mined.”

Hafif disclosed the vulnerability to Gmail privately, and the flaw was mitigated prior to this public disclosure. Gmail says that at no time were any passwords at risk of exposure, but the mining of email addresses with Hafif’s method could nonetheless have been pay dirt for spammers and scammers.